This change adds a generic method of configuring clean step
priorities instead of making changes in Ironic code every time a new
clean step is introduced.
Change-Id: I56b9a878724d27af2ac05232a1680017de4d8df5
Story: 1618014
The initial RAID levels have been extended by levels 5 and 6.
Update the documentation to reflect this.
Change-Id: Ifd7eb9d836b6fbf0a08648654ef2080b9717be83
In some cases the operator can't specify `ipmi_cipher_suite`
for each node and the problem with session can still occur:
`Error in open session response message : no matching cipher suite`
This patch adds a new configuration option that will take a list
of possible cipher suite versions that can be used when the error
occurs and the node doesn't have the `ipmi_cipher_suite` set.
Story: 2008739
Task: 42093
Change-Id: I6788585a83268e20ff6447e570995871bc9c25d5
Virtual media deployments can be conducted outside of the provisioning
network as long as the node gets an IP address somehow and can reach
ironic and its HTTP server. This change adds new configuration that
allows to use public IP addresses for virtual media while keeping PXE
boots working and constrained to the provisioning network.
Change-Id: I8b859b2812160ff3911eb7d648eab835ef61d934
Story: #2008566
Task: #41706
This change adds support to pre-built ISO images via the new driver_info
parameters redfish_deploy_iso and redfish_rescue_iso, similarly to the
iLO hardware type.
Also removes overly eager mocking in image unit tests.
Change-Id: I1366791a6c6eb34f3a43337c4199592783765912
Adds MVP support for idrac-redfish to RAID interface. Based on
generic redfish implementation, but requires OEM extension
to check when `Immediate` time becomes available shortly
after IPA starts executing steps.
Does not support foreign disks, convert from non-RAID mode.
Story: 2008602
Task: 41778
Depends-On: https://review.opendev.org/c/x/sushy-oem-idrac/+/776224
Change-Id: Iefb7f882c97e33a176962e4e907163d9e4809445
This patch increments the API version for the Secure RBAC
as was covered in the specification in order to signify to
API consumers that may need to be aware if the API surface
can support Secure RBAC policy configuration.
Change-Id: Ia659708bb89ff416b65367505d3e068c6d4a198f
Deprecates legacy policies which will be removed at a later point in
time. Notes these in a release note which covers project scoped access
enablement, and updates the Secure RBAC docs to cover additional details
Special thanks to Rammstein Radio on Pandora, for without this and all
of the amazing artists it brought to my coding jam sessions, this effort
would not have reached any sort of conclusion in the relatively short
time for such a massive amount of work.
Change-Id: I3bf0fa0de07e19d6058f0299e7abbff91b48b360
Adds a new argument disable_ramdisk to the manual cleaning API.
Only steps that are marked with requires_ramdisk=False can be
run in this mode. Cleaning prepare/tear down is not done.
Some steps (like redfish BIOS) currently require IPA to detect
a successful reboot. They are not marked with requires_ramdisk
just yet.
Change-Id: Icacac871603bd48536188813647bc669c574de2a
Story: #2008491
Task: #41540
Adds policy scope based RBAC handling for the allocations
endpoint which enables admins to create allocations if
they have baremetal nodes which are available to them.
Change-Id: I60e273afaf344fded9bdb8c4c8e143efc9971fc1
I never got around to adding in an initial pass on system scoped
interaction and use with secure rbac. This change adds a high level
overview to help explain the context.
Change-Id: I4dca32c882f484e75378aca8bb043ebd078a13cf
Split the monolithic guide into several pages: configuration, enrollment
and deployment. Merge duplicating docs into the common locations.
Use code-block for nicer highlighting.
Change-Id: Iaeef9e0cf8deba20a125d3cfacd4ca8ca2f52e84
Chances are much higher the users will find it there. Also correct some
wording (node interfaces -> hardware interfaces), use double ticks for
field names and mention the Wallaby release.
Story: #2008652
Task: #42015
Change-Id: I33956976a9420ade836ab8d37a9488b9a207cef0
This change allows instance_info values to override node interface
definitions, so non-admins can make temporary changes to various
interfaces.
Story: #2008652
Task: #41918
Change-Id: I6c3dc74705bde02bd02882d14838f184f8d4a5e3
This reverts commit b0df0960e2c53a4fe6673ba0a1ed546ffd156dc7.
Reason for revert: Need to split in separate patches and backport virtual media boot part.
Change-Id: Ib182ee6f2894fcdcea369a60dc5bd922a16434e2
This patch adds project scoped access, as part of the work
to delineate system and project scope access.
Adds policies:
* baremetal:volume:list_all
* baremetal:volume:list
* baremetal:volume:view_target_properties
Change-Id: I898310b515195b7065a3b1c7998ef3f29f5e8747
This patch implements the project scoped rbac policies for a
system and project scoped deployment of ironic. Because of the
nature of Ports and Portgroups, along with the subcontroller
resources, this change was a little more invasive than was
originally anticipated. In that process, along with some
discussion in the #openstack-ironic IRC channel, that it
would be most security conscious to respond only with 404s if
the user simply does not have access to the underlying node
object.
In essence, their view of the universe has been restricted as
they have less access rights, and we appropriately enforce that.
Not expecting that, or not consciously being aware of that, can
quickly lead to confusion though. Possibly a day or more of
Julia's life as well, but it comes down to perceptions and
awareness.
Change-Id: I68c5f2bae76ca313ba77285747dc6b1bc8b623b9
* Adds additional policies:
  * baremetal:node_get:last_error
  * baremetal:node:get:reservation
  * baremetal:node:get:driver_internal_info
  * baremetal:node:get:driver_info
  * baremetal:node:update:driver_info
  * baremetal:node:update:properties
  * baremetal:node:update:chassis_uuid
  * baremetal:node:update:instance_uuid
  * baremetal:node:update:lessee
  * baremetal:node:update:driver_interfaces
  * baremetal:node:update:network_data
  * baremetal:node:update:conductor_group
  * baremetal:node:update:name
* With new policies, responses of filtering and posted data is
  performed. Testing has been added to the RBAC testing files
  to align with this and the defaults where pertinent.
* Adds another variation of the common policy check method
  which may be useful in the long term. This is too soon to
  tell, but the overall purpose is to allow similar logic
  patterns to the authorize behavior. This is because the
  standard policies are, at present, also used to control
  behavior of response, and node response sanitization needs
  to be carefully navigated.
This change excludes linked resources such as /nodes/<uuid>/ports,
portgroups, volumes/[targets|connectors]. Those will be in later
changes, as the node itself is quite a bit.
Special note:
* The indicator endpoint code in the API appears to be broken
  and given that should be fixed in a separate patch.
Change-Id: I2869bf21f761cfc543798cf1f7d97c5500cd3681
This change adds support for utilising NVMe specific cleaning tools
on supported devices. This will remove the necessity of using shred to
securely delete the contents of a NVMe drive and enable using nvme-cli
tools instead, improving cleaning performance and reducing wear on the device.
(this specific change adds extra documentation to the earlier set of
patches implementing this).
Story: 2008290
Task: 41168
Change-Id: Ia6d34b31680967a0d14687e5a54d68a1f1644308